[571] in Intrusion Detection Systems


2/2 CIAC Bulletin G-10: Winword Macro Viruses

daemon@ATHENA.MIT.EDU (by way of uncl@llnl.gov (Frank Swi)
Fri Feb 9 14:08:14 1996

Date: Wed, 7 Feb 1996 21:21:44 -0800
To: network-managers@llnl.gov, sysadmin@llnl.gov
From: orvis@llnl.gov (Bill Orvis) (by way of uncl@llnl.gov (Frank Swift at Home))
Cc: comp-sec@pierce.llnl.gov
Reply-To: ids@uow.edu.au

web site or from the CIAC archive. A description of the scanner is
available at:

http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool2.htm

and the scanner itself is available at:

http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool20.exe

If you don't find these files at microsoft.com, it could be that the
scanner has been revised again. In that case, connect to:

http://www.microsoft.com

and use the search command to search for "macro virus".

To install the macro virus protection, simply open the template file
with Word and follow the instructions. The macros install themselves in
your global macro file (just like the virus does). A protected version
of Word should have the following four macros attached to the
"normal.dot" file:

        AutoExit     FileOpen     InstVer    ShellOpen

FileOpen calls ShellOpen whenever a document is opened. ShellOpen checks
each newly opened document to see if it has any macros attached. If
there are macros in the document that is being opened, ShellOpen
displays a dialog box giving you the choice to open the document anyway,
remove the macros and open it, or cancel the open command.

If, for some reason, you can't use Microsoft's protection macro, you can
disable auto-macros. You have three options:

1. Disable the auto-macros.
2. Disable the auto-macros and the auto-execute macro.
3. Hold down Shift whenever you open a file to disable the AutoOpen
   macro.

To disable auto-macros, create the following macro named AutoExec in the
global macro file (normal.dot). AutoExec runs every time Word starts, so
the auto-macros are switched off before any document is opened.

Sub MAIN
   REM Turn off AutoOpen, AutoClose, AutoNew and AutoExit for this session
   DisableAutoMacros 1
   MsgBox "Auto-macros are disabled."
End Sub

All auto-macros are disabled but a virus could still infect a system if
it is activated by a command that replaces a normal command.

To disable auto-macros and the auto-execute macro, create the following
macro in the global macro file (normal.dot) and name it
"DisableMyAutoMacros". The body is the same as the AutoExec macro above;
only the name differs, because it is started from the command line
rather than automatically.

Sub MAIN
   REM Started with the /m switch below; AutoExec itself never runs
   DisableAutoMacros 1
   MsgBox "Auto-macros are disabled."
End Sub

In the Program Manager or the Explorer in Windows 95, select the Word
icon and choose the Properties command on the File menu. Add the
following switch to the command line for Word.

/mDisableMyAutoMacros

This switch suppresses the AutoExec macro and runs the
DisableMyAutoMacros procedure when Word starts. Again, it does not stop
macros named after built-in commands from replacing those commands. It
also only takes effect when you start Word from the Word icon: if you
start Word by double clicking a document, the switch is not applied and
DisableMyAutoMacros does not run.

When you hold down the Shift key while opening or double clicking a
document, the AutoOpen macro is prevented from running. Other auto-
macros may still run so you must check for a virus before doing anything
else.

WARNING: The three methods of disabling auto-macros and the auto-execute
macro do not fully protect you from a virus. While they prevent the
auto-execute and auto-macro commands from running, they do not prevent
any macros named the same as commands from replacing those commands. Any
virus that uses replaced commands to initiate an infection will not be
stopped. Only an external scanner or the Microsoft template will detect
a document containing macros before it is opened.
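The "external scanner" the warning above refers to is a program that
inspects the file on disk without letting Word run anything in it. The
following script is an added example, not part of the CIAC bulletin or
of Microsoft's tool: it walks the directory of an OLE2 compound file and
reports whether a top-level "Macros" storage is present. It assumes the
later Word 97 binary layout, where the VBA project lives in that storage.
Word 6 files, which the bulletin covers, have no such storage (their
WordBasic macros sit inside the WordDocument stream and need a scanner
that parses that stream), so the script shows the kind of pre-open check
the bulletin calls for rather than a detector for Concept-era documents.
The sample files it checks are constructed in memory by build_sample().

```python
# Added example (not from the CIAC bulletin): offline check for a "Macros"
# storage in an OLE2 compound file, i.e. the Word 97-2003 VBA layout.
# Word 6 files keep WordBasic macros inside the WordDocument stream, which
# this script does not parse; it only reads the compound-file directory.
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT = 0xFFFFFFFD
ENDOFCHAIN = 0xFFFFFFFE
NOSTREAM = 0xFFFFFFFF            # also FREESECT in the FAT
STORAGE, STREAM, ROOT = 1, 2, 5  # directory entry object types

def _dir_entries(data):
    """Return (name, type, left, right, child) for every 128-byte directory entry."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)   # FAT sector numbers kept in the header
    fat = []
    for s in difat[:n_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (s + 1) * sector_size))
    entries, sec, seen = [], first_dir, set()
    while sec < len(fat) and sec not in seen:          # follow the directory sector chain
        seen.add(sec)
        off = (sec + 1) * sector_size
        for i in range(sector_size // 128):
            e = data[off + i * 128:off + (i + 1) * 128]
            name_len = struct.unpack_from("<H", e, 64)[0]  # bytes, including the UTF-16 NUL
            name = e[:max(name_len - 2, 0)].decode("utf-16-le")
            left, right, child = struct.unpack_from("<III", e, 68)
            entries.append((name, e[66], left, right, child))
        sec = fat[sec]
    return entries

def list_paths(data):
    """Walk the directory tree; return [(path, type)] for every entry under the root."""
    entries = _dir_entries(data)
    paths, seen = [], set()
    def walk(idx, prefix):
        if idx >= len(entries) or idx in seen:         # NOSTREAM or a corrupt link
            return
        seen.add(idx)
        name, obj_type, left, right, child = entries[idx]
        walk(left, prefix)                              # siblings form a binary tree
        paths.append((prefix + name, obj_type))
        walk(child, prefix + name + "/")
        walk(right, prefix)
    walk(entries[0][4], "")                             # start at the root entry's child
    return paths

def has_macros(data):
    """True when a top-level 'Macros' storage exists (Word 97-2003 VBA project)."""
    return any(p == "Macros" and t == STORAGE for p, t in list_paths(data))

def _entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    """Encode one directory entry with no stream data (start sector = ENDOFCHAIN)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 64, len(raw), obj_type, 1)  # name length, type, colour
    struct.pack_into("<III", e, 68, left, right, child)
    struct.pack_into("<I", e, 116, ENDOFCHAIN)
    return bytes(e)

def build_sample(with_macros):
    """Constructed sample: header, one FAT sector, one directory sector (512-byte sectors)."""
    if with_macros:
        entries = [_entry("Root Entry", ROOT, child=1), _entry("WordDocument", STREAM, right=2),
                   _entry("Macros", STORAGE, child=3), _entry("VBA", STORAGE)]
    else:
        entries = [_entry("Root Entry", ROOT, child=1), _entry("WordDocument", STREAM),
                   bytes(128), bytes(128)]              # unused directory slots
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # version, byte order, shifts
    struct.pack_into("<II", header, 0x2C, 1, 1)       # one FAT sector; directory is sector 1
    struct.pack_into("<IIIII", header, 0x38, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT/DIFAT
    struct.pack_into("<109I", header, 0x4C, 0, *([NOSTREAM] * 108))  # DIFAT: the FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([NOSTREAM] * 126))
    return bytes(header) + fat + b"".join(entries)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                           # scan real files named on the command line
        with open(path, "rb") as f:
            print(path, "MACROS" if has_macros(f.read()) else "no Macros storage")
    if len(sys.argv) == 1:                              # otherwise demonstrate on the constructed samples
        print("constructed with macros:", has_macros(build_sample(True)))
        print("constructed plain document:", has_macros(build_sample(False)))
```

Run it with no arguments to see the two constructed samples classified, or
pass file names to check documents on disk before anyone opens them. The
check is deliberately done on the container, not by opening the file in
Word, which is the whole point of an external scanner; a file that carries
its macros in a form this parser does not understand (a Word 6 document,
or a renamed template) will still come back clean, so treat "no Macros
storage" as "no VBA project found", not as "safe".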

Removing Macro Viruses
----------------------

If you have an anti-virus scanner which detects and removes a macro
virus, use it instead of trying to do it by hand. The scanner will
generally do the job and is much easier than removing the virus by hand.

If you have Microsoft's virus macro protection installed, it will give
you the option to remove any attached macros when you open the document.
If you save the document with the same name, it will overwrite the
infected document.

If you don't have a scanner or the protection macro, you can use the
Organizer to find and remove macro viruses without infecting your
system. The first step is to start Word and open the Organizer dialog
box. There are two ways to open the Organizer: 1. use the Tools Macro
command and press the Organizer button; 2. use the File Templates
command and press the Organizer button. In the Organizer dialog box
click the macros tab, click the Open File button, select the infected
document and click OK. Back in the Organizer dialog box, select all the
macros listed in the file and click the Delete button to remove them.
Click the Close File button to close and save the file. The file can now
be opened normally.

If you have just infected yourself by opening an infected document,
don't close the document or quit Word. If you close the infected file or
quit Word, you run the risk of running another of the auto-execute
macros. See if you can get to the Organizer dialog box. Once in the
Organizer you can delete the virus macros from the infected document and
from the "normal.dot" file. Save those files, quit Word and restart it.
You can then use the Organizer to check other documents for a virus
infection.

If you can't get to the Organizer, quit Word without saving anything,
find the "normal.dot" file and delete it. When you restart Word, it
creates a new, empty "normal.dot" file. Note that you will also lose any
custom styles, AutoText entries and other customizations that were stored
in the "normal.dot" file and will have to redefine them.

On The Macintosh
----------------

These macro viruses will run under Word 6 on the Macintosh, but most of
the file access capability used by the viruses to damage a system will
not work well. This is because file naming conventions on the Macintosh
are different from those on other systems. Since the damaging parts of
the viruses are written with a DOS-based file system in mind, it is
unlikely that they will work.

Macro Viruses and E-Mail Messages
---------------------------------

Many rumors have circulated around the network about an e-mail message
that destroys your system when you read it (Good Times). This cannot
happen with the current batch of mail readers. An infected document can
be attached to an e-mail message and will be downloaded to your disk
when you read the message with the attachment, but it will not be
executed automatically. As long as the attachment has not been run or
opened in Word, it cannot infect your system with a virus. Scan it at
that point, before opening it, to make sure it is not infected.

Conclusions
-----------

Macro viruses are here to stay and we must deal with them in the same
manner that we have had to deal with other viruses. If you don't know
where a file has been, don't use it in your computer until you scan it.
That is, if it is an executable, don't run it; if it is a document,
don't open it. It does not matter how you obtained the file, whether it
is a download from a BBS or web site, an attachment to an e-mail
message, or a shrink-wrapped package from a commercial developer, scan
them all. Even blank, preformatted disks are occasionally showing up
with viruses.

The second thing to do is to install the Microsoft macro virus
protection template to warn you if a document contains macros before you
open it.

Keep in mind that while Microsoft products are being targeted by these
viruses, they are not the only products which have a macro capability
which could be exploited. Hopefully, in the next release of software
programs which include extensive macro capabilities, there will be an
easy way to disable macro execution and warn the user if documents
contain macros. This change will make the problem of macro viruses go
away very quickly.


______________________________________________________________________________

CIAC wishes to acknowledge the help of Michael Messuri and Charles Renert of
Symantec Corp. and Chuck Noble of Digital Equipment Corp. for valuable
assistance in the preparation of this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the backup
response team for the National Institute of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore, California. CIAC is
also a founding member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call
the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (14.4K baud)
                        +1 (510) 423-3331 (14.4K baud)

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

(F-28)  Vulnerability in SunOS 4.1.* Sendmail (-oR option)
(G-1)   Telnetd Vulnerability
(G-2)   SunOS 4.1.X Loadmodule Vulnerability
(G-3)   AOLGOLD Trojan Program
(G-4)   X Authentication Vulnerability
(G-5)   HP-UX FTP Vulnerability Bulletin
(G-6)   Windows 95 Vulnerabilities
(G-7)   SGI Object Server Vulnerability
(G-8)   splitvt(1) Vulnerability
(G-9)   Unix sendmail vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95   A comprehensive review of SATAN

Notes 08 - 4/4/95    A Courtney update

Notes 09 - 4/24/95   More on the "Good Times" virus urban legend

Notes 10 - 6/16/95   PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                     in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95   Virus Update, Hats Off to Administrators,
                     America On-Line Virus Scare, SPI 3.2.2 Released,
                     The Die_Hard Virus

Notes 12 - 9/12/95   Securely configuring Public Telnet Services, X Windows,
                     beta release of Merlin, Microsoft Word Macro Viruses,
                     Allegations of Inappropriate Data Collection in Win95





-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBMReb5rnzJzdsy3QZAQFzdwP/d9yKlOO7Q+KLOAcFwixeL7gdFnCV7Mnj
F+LcPMQV2J57t9LxlDIPnRbK+wiUHiSKZQN0HCnJqEoHTvlPWel6OL4POyVV80qY
BgF+uOJY3ngn3o+FK8tdLfuqgLzYpaJBsXhMsumizs4EBkzMZgu/JAsV6nmFaPl8
x5pFSTNbTqA=
=GtxK
-----END PGP SIGNATURE-----

  --------------------------------------------------------------------
  William J. Orvis                                      orvis@llnl.gov
  Electronics Engineering Department                    (510) 422-8649
  Lawrence Livermore National Laboratory          (FAX) (510) 423-8002
  P.O. Box 808, L-303
  Livermore, CA 94551
  Computer Incident Advisory Capability - CIAC           ciac@llnl.gov
                                                        (510) 422-8193
  ---------------------------------------------------------------------
 



